Gardner:
We're excellent. We've talked before, Abe, and I'm really delighted to
have you back. I want to start at a high level. Many organizations are
now focusing more on the user experience and the business benefits and
less on pure technology, and for many, it's a challenge. From a very
high level, how do you perceive the best way to go about a cultural
shift, or an organizational shift, from a technology focus more towards
this end-user experience focus?


Naguib:
Well, Paul and Dana, there are several paradigms involved from the COO
and CFO’s push on innovation and efficiency. A lot of the tooling that
we use, a lot of the products we use help to fully diversify and resolve
some of the challenges we have. That’s to keep change running.

The CIO has to keep his eye forward to periodically change tracks, ensuring
that the customers are getting the best value for their money. That’s a
tall order, and he has to predict benefit, gauge value, maintain
integrity, socialize, and evolve the strategy of business ideas on how
technology should run.

We have to manage quite a few
challenges from the demand of operating a global franchise. Our COE
looks at various levels of optimization and one key target is customer
service, and factors that drive the value chain.

That’s
aligning DevOps to business, reducing data-center sprawl, validating
and making sense of vendors, products, and services, increasing the return on investment (ROI) and total cost of ownership (TCO) of emerging technologies, economy of scale, improving services and hybrid cloud
systems, as we isolate and identify the cascading impacts on systems.
These efforts help to derive value across the chain and eventually help
improve customer value.

Gardner: Paul Muller,
does this jibe with what you're seeing in the field? Do you see an
emphasis that’s more on this sort of process level, when it comes to IT
with of course more input from folks like the COO and the chief
financial officer?

Level of initiatives

Muller:
As I was listening to Abe's description I was thinking that you really
can tell the culture of an organization by the level of initiatives and
thinking that it has. In fact, you can't change one without changing the
other. What I've just described is a very high level of cultural
maturity.


We do see it, but we see it in maybe 10 to 15 percent of organizations that
have gone through the early stages of understanding the performance and
quality of applications, optimizing it for cost and performance, but
then moving through to the next stage, reevaluating the entire chain,
and looking to take a broader perspective with lots of user experience.
So it's not unique, but it's certainly used among the more mature in
terms of observational thinking.

Gardner: For
the benefit of our audience, Abe, tell us a little bit about AIG, its
breadth, and particularly the business requirements that your Global
Performance Architecture Group is tasked with meeting?

Naguib: Sure, Dana. AIG is a leading international insurance organization, across 130
countries. AIG’s companies, serving commercial, institutional, and individual
customers through one of the world’s most extensive property/casualty
networks, are leading providers of life insurance and retirement
services in the US.

Among the brand pillars that we
focused on are integrity, innovation, and market agility across the
variety of products that we offer, as well as customer service.


Gardner: And how about the Global Performance Architecture Group? How do you fit into that?

Naguib:
With AIG’s mantra of "better, faster, cheaper," my organization’s
people, strategy, and comprehensive tools help us to bridge these gaps
that a global firm faces today. There are many technology objectives
across different organizations that we align, and we utilize various HP solutions to drive our objectives, which is getting the various IT delivery pistons firing in the same direction and at the right time.

Our role eventually moved out of quality assurance's (QA’s) functional testing area to focus on emphasizing application performance,
architecture design patterns, emerging technologies, infrastructure and
consolidation strategies, and risk mitigation, as well as increasing ROI
and economy of scale. With the right people, process, and tools, our
organization enabled IT transparency and application tuning, reduced infrastructure
consumption, and accelerated resolution of any system performance issues in
dev and production.

The key is that bringing together our
business-critical and strategic drivers across IT’s various segments
fosters alignment, agility, and eventually unity. Now, our leaders seek
our guidance to help tune IT at some degree of financial performance to
unlock optimal business value.

Culture of IT

Gardner: What's interesting to me, Paul, about what Abe just said is the
evolution of this from test and dev in QA to a broader set of first IT,
then operations, and then ultimately even through that culture of IT
generally. Is that a pattern you're seeing, that the people in QA are in
a sense breaking out of just an application performance level and
moving more into what we could call IT performance level?

Muller: As I was listening to Abe talk through that, there were a couple of
keywords that jumped out that are indicators of maturity. One of them is
the recognition that, rather than being a group-sized task, things like
application quality, performance, and user experience actually are a
discipline that can be leveraged consistently across multiple
organizational units, and whether you centralize it or make it uniform
across the organization is an important part of what you just described.

Maturity of operational and strategic alignment is something that requires a
significant investment on business’s and IT’s behalf to prove early
returns by doing a good job on some of the smaller projects. This shows a
proven return on investment before the organization is typically going
to be willing to invest in creating a centralized and a uniform
architecture group.

Gardner: Abe, do you have some response to that?

Naguib: Yes, more and more, in the last six or seven years, there's less focus
on just basic performance optimization. The focus is now on business
strategy impact on infrastructure CAPEX and OPEX. Correlating business use cases to impact on infrastructure is the golden grail.


Once
you start communicating to CIOs the impact of a system and the cost of
hosting, licensing, headcount, service sprawl, branding, and services
that depend on each other, we're more aligning DevOps with business.

Muller:
You can compare the discussion that I just had with a conversation I
had not three weeks ago with a financial institution in another part of
the world. I asked who is responsible for your end-to-end business
process -- in this case I think it was mortgage origination -- and the
entire room looked at each other, laughed, and said "We don't know."

So
you've really got this massive gap in terms of not just IT process
maturity, but you also have business-process maturity, and it's very
challenging, in my experience, to have one without having the other.

Gardner:
I think we have to recognize too that most businesses now realize that
software is such an integral part of their business success. Being adept
at software, whether it's writing it, customizing it, implementation
and integration, or just overall lifecycle has become kind of the
lifeblood of business, not just an element of IT. Do you sense that,
Abe, that software is given more clout in your organization?

Naguib:
Absolutely Dana. I truly believe that. I've been kind of an internal
evangelist on this, but I always say that software drives the hardware.
Whether I communicate with the enterprise architects, the dev teams, the
infrastructure teams, software frankly does drive the hardware.

That's
really the key point here. If you start managing your root cost and
performance from a software perspective and then work your way out,
you’ve got the key to unlocking everything from efficiencies to
optimizing your ROI and to addressing TCO over time. It's all business
driven. Know your use cases. Know how it impacts your software, which
impacts your infrastructure.

Converged infrastructure

Gardner: Of course, these days we’re hearing more about software-defined networking, software-defined data centers,
and converged infrastructure. It really does start to come together, so
that you can control, manage, and have a data-driven approach to IT,
and that fits into ITIL
and some of the other methodologies. It really does seem to be kind of a
golden age for how IT can improve as performance, as productivity, and
of course as a key element to the overall business. Is that what you’re
finding too, Abe?

Naguib: More and more, it's a domino effect. If you don't identify the root cause,
isolate it, and resolve it, the impact does have a cascading effect on
optimization, delivery, and even cost, as we’ve seen repeatedly in the
last couple of years. That’s how we communicate to our C-level community.

Gardner:
Of course we have to recognize it. Just being performant, optimized,
and productive for its own sake isn’t good enough in this economy. We
have to show real benefits, and you have to measure those benefits.
Maybe you have some way to translate how this actually does benefit your
customers. Any metrics of success you can share with us, Abe?

Naguib: Yes, during our initial requirements-gathering phase with our business
leaders, we start defining appropriate test-modeling strategy, including
volumetrics, and managing and understanding the deployment pattern with
subscriber demographics and user roles. We start aligning DevOps
organizations with business targets, which improves delivery
expectations, ROI, TCO, and capacity models.


Then, before
production, our Application Performance Engineering (APE) team
identifies weak spots to provide the production team with a reusable
script setting thresholds on exact hotspots in a system, so that
eventually in production, they can take appropriate productive measures.
Now, this is value add.

Gardner: Paul, do you
have any thoughts in terms of how that relates to the larger software
field, the larger enterprise performance field?

Muller:
As we’re seeing across the planet at the moment, there's a recognition
that to bring great software and information is really a function of
getting Layers 1 through 7 in the technology stack working, but it's also about getting Layer 8 working. Layer 8, in this case, is the people. Unfortunately, being technologists, we often forget about the people in this process.

What
Abe just described is a great representation of the importance of
getting not just a functional part of IT, in this case quality and
performance working well, but it's about recognizing the software will
one day be delivered to operational staff to internally monitor and
manage it in a production setting.

The big
transformation taking place right now is that our organization is
connecting different silos of IT delivery, in particular development,
quality, and operations, to help them accelerate the release of quality
applications, and to automate things like threshold setting, and
optimize monitoring of metrics ahead of time. Rather than discovering
that an application might fail to perform in a production setting, where
you've got users screaming at you, you get all of that work done ahead
of time.

Sharing and trust

You create a culture of sharing and trust between development, quality, and
operations that frankly doesn’t exist in a lot of processes, where the
relationship between development and operations is pretty strained.

Gardner:
Abe, how do you measure this? We recognized the importance of the
metrics, but is there a new coin of the realm in terms of measurement?
How do you put this into a standardized format that you’re going to take
to your CFO and your COO and say here’s what's really happening?

Naguib:
That's a good question. Tying into what Paul was saying, nobody cared
about whether we improved performance by three seconds or two seconds.
You care at the front end, when you hear users grumbling. The bottom
line is how the application behaves, translating that into business
impact as well as IT impact.

Business impact is what are the dollar values to make key use cases and transactions that don't
scale. Again, software drives the hardware. If an application consumes
more hardware, the hardware is cheap nowadays, but licenses aren’t.
You have databases and you have middleware products running in that
environment, whether it's on-premise or in the cloud.

The
point is that impact should be measured, and that's how we started
communicating results through our organization. That's when we started
seeing C-level officers tuning in and realizing the impact of
performance of both to the bottom line, even to the top line.


Gardner:
It strikes me, Abe, that this is going to set you up to be in a better
position to move to cloud models, consume more SaaS services, as you
mentioned earlier, and to become more of a hybrid services delivery shop
or have that capability. Does that make sense? Do you feel more
prepared for what this next level of compute architecture you seem to be
heading toward as a result of the investments you've made?

Naguib: Absolutely Dana. Our role is to provide more insight earlier and quicker to the right people at the right time.

Leveraging
HP’s partnership and solutions helped us to address technologies,
whether Web 2.0, client-server, legacy systems, Web, cloud-based, or
hybrid models. We were able to leverage consistent dashboards across
different IT solutions internally, then target weak spots and help drive
optimization, whether on premise or cloud.

Gardner:
Paul Muller, thoughts about how this is working more generally in the
market, how people who get a grasp on global performance architecture
issues like AIG are then in a better position to leverage and exploit
the newer and far more productive types of computing models?

Muller:
In the enterprise today, it's all about getting your ideas out of your
head and making them a reality. As Abe just described, most of the best
ideas today that are on their way into business processes you can
ultimately turn into software. So success is really all about having the
best applications and information possible.

Understand maturity

The challenge is understanding how the technology, the business process, and
the benefits come together and then orchestrating the delivery of
that benefit to your organization. It's not something that can be done
without a deliberate focus on process. Again, the challenge is always
understanding your organization's maturity, not just from an IT
standpoint, but importantly from a broader standpoint.

Naguib:
What's the common driver for all? Money talks. Translating things into a
dollar value started to bring groups together to understand what we can
do better to improve our process.

Gardner: Abe,
it strikes me that you guys are really fulfilling this value epicenter
role there and expanding the value of that role outside the four walls
of IT into the larger organization. Tell me how HP is joining you in a
partnership to do that? What is it that you're bringing to the table to
improve that value for the epicenter of value benefit?

Naguib:
Dana, what we're seeing more is that it's not just internal dev and ops
that we're aligning with, or even our business service level
expectations. It's also partnerships with key vendors that have opened
up the roadmap to align our technologies, requirements, and our
challenges into those solutions.

The gains we make are simple. They can be boiled down into three key benefits: savings,
performance, and business agility. Leveraging HP's ALM
solutions helps us drive IT and business transformation and unlock
resources and efficiencies. That helps streamline delivery and increase the
reliability of our mission-critical systems.


My favorite has always been HP's LoadRunner Performance Center.
It’s basically our Swiss Army Knife to support diverse platform
technologies and align business use cases to the impact on IT and
infrastructure via HP SiteScope.

We're able
to deep dive into the diagnostics, if needed. And the best part is,
after we've dealt with tuning, we can help activate post-production
monitoring using the same script, understanding where the weak spots
are.

So the tools are there. The best part is they're integrated, and they actually work together very well.

Muller:
One of the questions I get a lot from organizations is how we measure
and reflect the benefit. What hard data have you managed to get?

Three-month study

Naguib: IDC came in and did an extensive three-month study, and it was interesting
what they found. We've realized savings of more than $11 million
annually for the past five years by increasing our economy of scale.
Scale on a system allows more applications on the same host.

It's
an efficiency from both hardware and software. They also found that our
using solutions from HP increased staff productivity by over $300,000 a
year. Instead of fighting fires, we're actually now focusing on
innovation, and improving business reliability by over $600,000 a year.

So
all that together shows a recoup, a five-year ROI, about 577 percent. I
was very excited about that study. They also showed that we resolved
mean time resolution over 70 percent through production debugging, root
cause, and resolution efforts.

So what we found, and technologists would agree with me, is that today, with hardware being
cheaper than software, there is a hidden cost associated with hosting an
application. The bottom line is, if we don’t test and tune our
applications holistically, across the architecture, code,
infrastructure, and shared services, these performance issues can
quickly degrade quality of service, uptime, and eventually IT value.


Muller: I have a saying, which is that quality costs money but bad quality costs more. There you go.

Gardner: Abe, any recommendations that you might have for other organizations
that are thinking of moving in this direction and that want to get more
mature, as Paul would say? What are some good things to keep in mind as
you start down this path?

Naguib: Besides
software drives the hardware -- and I can't stress that enough -- are
all the ways to understand business impact and translate whatever you're
testing into the business model.

What happens to the scenarios such as outages? What happens when things are delayed? What is
the impact on business operability, productivity, liability, customer
branding? There are so many details that stem from performance. We used
to be dealing with the "Google factor" of two-second response time, but
now, we're getting more like millisecond response, because there are so
many interdependencies between our systems and services.

Another
fact is that a lot of products come into our doors on a daily basis.
Modern technologies come in with a lot of promises and a lot of
commitments.

Identify what works

So
it's being able to weed through the chaff, identify what works, how the
interdependencies work, and then, being able to partner with vendors of
those solutions and services. Having tools that add transparency into
their products and align with our environment helps bring things
together more. Treating IT like a business by translating the impact
into dollar value, helps to get lined up and responsive.

Gardner:
Very good. Last word to you, Paul. Any thoughts about getting started?
Are there principles that you are seeing in common, threads or themes
for organizations, as they begin to get the maturity model in place and
extend quality and process performance assurance improvements even more
generally into their business?

Muller: It might
be a little controversial here, but the first step is look in the mirror
and understand your organization and its level of maturity. You really
need to assess that very self-critically before you start. Otherwise,
you're going to burn a lot of capital, a lot of time, and a lot of
credibility trying to make a change to an organization from state A to
state B. If you don’t understand the level of maturity of your present
state before you start working on the desired state, you can waste a lot
of time and money. It's best to look in the mirror.

The
second step is to make sure that, before you even begin that process,
you create that alignment and that desired state in the construct of the
business. Make sure that your maturity aligns to the business's
maturity and their goal. I just described the ability to measure the
business impact in terms of revenue of IT services. Many companies can’t
even do something as fundamental as that. It can be really hard to
drive alignment, unless you’ve got business-IT alignment ahead of time.

I have said this so many times. The technology is a manageable problem.
Layers 1 through 7, including management software to a certain degree,
have solved problems most of the time. Solving the problem of Layer 8 is
tough. You can reboot the server, but you can’t reboot a person.


I
always recommend bringing along some sort of management of
organizational change function. In our case, we actually have a number
of trained organizational psychologists working for us who understand
what it takes to get several hundred, sometimes several thousand, people
to change the way they behave, and that’s really important. You’ve got
to bring the people along with it.

Gardner: Well, we have to take a hint from you, Paul. Maybe our next topic will be The
Psychology of IT, but we won’t be able to get to that today. I am afraid
we'll have to leave it there, and I have to thank our co-host Paul
Muller, the Chief Software Evangelist at HP. Thanks so much for joining
us.

Muller: Always a pleasure.

Gardner: And I'd like to thank our supporter for this series, HP Software,
and remind our audience to carry on the dialogue with Paul and other
experts there at HP through the Discover Performance Group on LinkedIn.

You
can gain more insights and information on the best of IT performance
management at www.hp.com/go/discoverperformance. And you can always
access this in other episodes of our HP Discover Performance podcast
series at hp.com and on iTunes under BriefingsDirect.

Of course, we also extend a big thank you to our guest, Abe Naguib, Senior Director of AIG’s Global Performance Architecture Group.
Thanks so much, Abe.

Gardner: Again, a last thank you to our audience for joining us for this special
HP Discover Performance podcast discussion. I'm Dana Gardner, Principal
Analyst at Interarbor Solutions, your co-host for this ongoing series
of HP-sponsored business success stories. Thanks again for joining, and
come back next time.

Transcript of a BriefingsDirect podcast
with AIG and HP on the challenges and solutions involved in managing a
global center of excellence for IT performance. Copyright Interarbor
Solutions, LLC, 2005-2012. All rights reserved.

Today, we present a sponsored podcast discussion on enterprise backup, why it’s broken, and how to fix it. We'll examine some major areas where the backup of enterprise information and data protection
are fragmented, complex, and inefficient. And then, we'll delve into
some new approaches that help simplify the data-protection process, keep
costs in check, and improve recovery confidence.

Here
to share insights on how data protection became such a mess and how new
techniques are being adopted to gain comprehensive and standard control
over the data lifecycle is John Maxwell, Vice President of Product Management for Data Protection at Quest Software, now part of Dell. [Disclosure: Quest Software is a sponsor of BriefingsDirect podcasts.]

Gardner:
John, let’s start with you. How did we get here? Why has
something seemingly as straightforward as backup become so
fragmented and disorganized?

Maxwell: Dana, I
think it’s a perfect storm, to use an overused cliché. If you look back
20 years ago, we had heterogeneous environments, but they were much
simpler. There were NetWare and UNIX, and there was this new thing called Windows. Virtualization didn’t even really exist. We backed up data to tape, and a lot of data was in terabytes, not petabytes.

Flash forward to 2012, and there’s more heterogeneity than ever. You have stalwart databases like Microsoft SQL Server and Oracle, but then you have new apps being built on MySQL.
You now have virtualization, and, in fact, we're at the point this year
where we're surpassing the 50 percent mark on the number of servers worldwide that are virtualized.

Now we're even starting to see
people running multiple hypervisors, so it’s not even just one
virtualization platform anymore, either. So the environment has gotten
bigger, much bigger than we ever thought it could or would. We have
numerous customers today that have data measured in petabytes, and we
have a lot more applications to deal with.

And last, but not least, we now have more data that’s deemed mission critical,
and by mission critical, I mean data that has to be recovered in less
than an hour. Surveys 10 years ago showed that in a typical IT
environment, 10 percent of the data was mission critical. Today, surveys
show that it’s 50 percent and more.

Gardner: George, did John leave anything out? From your perspective, why is it different now?

Crump:
A couple of things. I would dovetail into what he just mentioned about
mission criticality. There are definitely more platforms, and that’s a
challenge, but the expectation of the user is just higher. The term I
use for it is IT is getting "Facebooked."

High expectations

I've had many IT guys say to me, "One of the common responses I get from my users is, 'My Facebook
account is never down.'" So there is this really high expectation on
availability, returning data, and things of that nature that probably
isn’t really fair, but it’s reality.

One of the
reasons that more data is getting classified as mission critical is just
that the expectation that everything will be around forever is much
higher.

The other thing that we forget sometimes is
that the backup process, especially a network backup, probably unlike
any other, stresses every single component in the infrastructure. You're
pulling data off of a local storage device on a server, it’s going
through that server CPU and memory, it’s going down a network card, down a network cable, to a switch, to another card, into some sort of storage device, be it disk or tape.

So
there are 15 things that happen in a backup and all 15 things have to
go flawlessly. If one thing is broken, the backup fails, and, of course,
it’s the IT guy’s fault. It’s just a complex environment, and I don’t
know of another process that pushes on all aspects of the environment in
one fell swoop like backup does.

Gardner: So
the stakes are higher, the expectations are higher, the scale and volume
and heterogeneity are all increased. What does this mean, John, for
those that are tasked with managing this, or trying to get a handle on it
as a process, rather than a technology-by-technology approach, really
looking at this at that life cycle? Has this now gone from being a
technical problem to a management or process problem?

Maxwell: It's both, because there are two issues here. One, you expect today's storage administrator, or sysadmin, to be a database administrator (DBA), a VMware administrator, a UNIX sysadmin, and a Windows admin. That’s a lot of responsibility, but that’s the fact.

A lot of people think that they are going to have as deep a level of
knowledge on how to recover a Windows server as they would an Oracle
database. That’s just not the case, and it's the same thing from a
product perspective, from a technology perspective.


Is there really such a thing as a backup product, the Swiss Army knife, that
does the best of everything? Probably not, because being the best of
everything means different things to different accounts. It means one
thing for the small to medium-size business (SMB), and it could mean something altogether different for the enterprise.

We've
now gotten into a situation where we have the typical IT environment
using multiple backup products that, in most cases, have nothing in
common. They have a lot of hands in the pot trying to manage data
protection and restore data, and it has become a tangled mess.

Gardner:
Before we dive a little bit deeper into some of these major areas, I'd
like to just visit another issue that’s very top of mind for many
organizations, and that’s security, compliance, and business continuity
types of issues, risk mitigation issues. George Crump, how important is
that to consider, when you look at taking more of a comprehensive or a
holistic view of this backup and data-protection issue?

Disclosure laws

Crump:
It's a really critical issue, and there are two ramifications. Probably
the one that strikes fear in the heart of every CEO on the planet is
all the disclosure laws that exist now that say that, when you lose a
customer’s data, you have to let him know. Unfortunately, probably the
only effective way to do that is to let everybody know.

I'm
sure everybody listening to this podcast has gotten more than one
letter already this year saying their Social Security number has been
exposed, things like that. I can think of three
or four I've already gotten this year.

So there is the downside of legally having to admit you made a mistake, and then there
are the legal requirements of retaining information in case of a lawsuit.
The traditional thing was that if I got a discovery motion filed
against me, I needed to be able to pull this information back, and that
was one motivator. But the bigger motivator is having to disclose that
we did lose data.

And there's a new one coming in. We're hearing about big data, analytics,
and things like that. All of that is based on being able to access old
information in some form, pull it back from something, and be able to
analyze it.

That is leading many, many organizations
to not delete anything. If you don't delete anything, how do you store
it? A disk-only type of solution forever, as an example, is a pretty
expensive solution. I know disk has gotten a lot cheaper, but forever,
that’s a really long time to keep the lights on, so to speak.


Gardner:
Let's look at this a bit more from the problem-solution perspective.
John, you've gotten a little bit into this notion that we have multiple
platforms, we have operating systems, hypervisors, application types, even appliances. What's the problem here and how do we start to develop a solution approach to it?

Maxwell:
The problem is we need to step back, take inventory of what we've got,
and choose the right solution to solve the problem at hand, whether
you're an SMB or an enterprise.

But the biggest thing
we have to address is, with the amount and complexity of the data, how
can we make sysadmins, storage administrators, and DBAs productive, and
how can we get them all on the same page? Why does each one of these roles
in IT have to use different products?

George and I
were talking earlier. One of the things that he brought up was that in a
lot of companies, data is getting backed up over and over by the DBA,
the VMware administrator, and the storage administrator, which is really
inefficient. We have to look at a holistic approach, and that may not
be one-size-fits-all. It may be choosing the right solutions, yet
providing a centered means for administration, reporting, monitoring,
etc.

Gardner: George, you've been around for a
while in this business, as have I, and there is a little bit of a déjà
vu here, where we're bringing a system-of-record approach to a set of
disparate technologies that were, at one time, best of breed and
necessary, but are increasingly part of a more solution or process
benefit.

So we understand the maturation process, but
is there anything different and specific about backup that makes this
even harder to move from that point solution, best of breed mentality,
into more of a comprehensive process standardization approach?

Demands and requirements

Crump:
It really ties into what John said. Every line of business is going to
have its own demands and requirements. To expect not even a backup
administrator, but an Oracle administrator that’s managing an Oracle
database for a line of business, to understand the nuances of that
business and how they want to keep things is a lot to ask.

To
tie into what John said, when backup is broken, the default survival
mechanism is to throw everything out, buy the latest enterprise
solution, put the stake in the ground, and force everybody to centralize
on that one item. That works to a degree, but in every project we've
been involved with, there are always three or four exceptions. That
means it really didn’t work. You didn't really centralize.

Then
there are covert operations of backups happening, where people are
backing up data and not telling anybody, because they still don't trust
the enterprise application. Eventually, something new comes out. The
most immediate example is virtualization, which spawned the birth of
several different virtualized specific applications. So bringing all
that back in again becomes very difficult.

I agree
with John. What you need to do is give the users the tools they want.
Users are too sophisticated now for you to say, "This is where we are
going to back it up and you've got to live with it." They're just not
going to put up with that anymore. It won't work.

So give them the tools that they want. Centralize the process, but not the actual software. I think that's really the way to go.

Gardner:
So we recognize that one size fits all probably isn’t going to apply
here. We're going to have multiple point solutions. That means
integration at some level or multiple levels. That brings us to our next
major topic. How do we integrate well without compounding the
complexity and the problems set? John?

Maxwell:
We've been working on this now for almost two years here at Quest, and now at Dell, and we are launching in November
something called NetVault XA. “XA” stands for Extended Architecture. We have a portfolio of very rich
products that span the SMBs and the enterprise, with focus on virtual
backup, heterogeneous backup, instantaneous snapshots and deep
application recovery, and we’re keenly interested in leveraging those
technologies for the DBAs and sysadmins in ways that make their lives
easier and make sure they are more productive.

NetVault
XA solves some really big issues. First of all, it unifies the user
experience across products, and by user, I mean the sysadmin, the DBA,
and the storage administrator, across products. The initial release of
NetVault XA will support both our vRanger and NetVault Backup, as well as our NetVault SmartDisk product, and next year, we'll be adding even more of our products under NetVault XA as well.

So now we've provided a common means of administration. We have one UI.
You don’t have to learn something different. Everyone can work on the
same product, yet based on your login ID, you will have access to
different things, whether it's data or capabilities, such as restoring
an Oracle or SQL Server database, or restoring a virtual machine (VM).

That's
a common UI. A lot of vendors right now have a lot of solutions, but
they look like they're from three, four, or five different companies. We
want to provide a singular user experience, but that's just really the
icing on the cake with NetVault XA.

If we go down a
little deeper into NetVault XA, once it’s installed, learning
alongside vRanger, NetVault, or both, it's going to self identify that
vRanger or NetVault environment, and it's going to allow you to manage
it the way that you have already set about from that ability.

New approach

We're
really delivering a new approach here, one we think is going to be
unique in the industry. That's the ability to logically group data and
applications within lines of business.

You gave an
example earlier of Oracle. Oracle is not an application. Oracle is a
platform for applications, and sometimes applications span databases,
file systems, and multiple servers. You need to be looking at that from a
holistic level, meaning what makes up application A, what makes up
application B, C, D, etc.?

Then, what are the service
levels for those applications? How mission critical are they? Are they
in that 50 percent of data that we've seen from surveys, or are they
data that we restored from a week ago? It wouldn’t matter, but then,
again, it's having one tool that everyone can use. So you now have a
whole different user experience and you're taking up a whole different
approach to data protection.

Gardner: This is
really interesting. I've seen a demo of this and I was very impressed.
One of the things that jumped out at me was the fact that you're not
just throwing a GUI overlay on a variety of products and calling it
integration.

There really seems to be a drilling down
into these technologies and surfacing information to such a degree that
it strikes me as similar to what IT service management (ITSM)
did for managing IT systems at a higher level. We're now bringing that
to a discrete portion, backup and recovery. Does that sound about right,
George, or did I overstate it?

Crump: No, that's
dead-on. The benefits of that type of architecture are going to be
substantial. Imagine if you are the vRanger programmer, when all this
started. Instead of having to write half of the backend, you could just
plug into a framework that already existed and then focus most of your
attention on the particular application or environment that you are
going to protect.

You can be releasing the equivalent
of vRanger 6 on vRanger 1, because you wouldn’t have to go write this
backend that already existed. Also, if you think about it, you end up
with a much more reliable software product, because now you're building
on a library class that will have been well tested and proven.

Say you want to implement deduplication
in a new version of the product or a new product. Instead of having to
rewrite your own deduplication engine, just leverage the engine that's
already there.

Gardner: John, it sounds a little
bit like we're getting the best of both worlds, that is to say the
ability to support a lot of point solutions, allowing the tools that the
particular overseer of that technology wants to use, but bringing this
now into the realm of policy.

It's something you can
apply rules to, that you can bring into concert with other IT management
approaches or tasks, and then gain better visibility into what is
actually going on and then tweak. So amplify for me why this is
standardization, but not at the cost of losing that Swiss Army knife
approach to the right tool for the right problem?

One common means

Maxwell:
First of all, by having one common means, whether you're a DBA, a
sysadmin, a VMware administrator, or a storage administrator, this way
you are all on the same page. You can have people all buying into one
way of doing things, so we don't have this data being backed up two or
three times.

But the other thing that you get, and this
is a big issue now, is protecting multiple sites. When we talk about
multiple sites, people sometimes say, "You mean multiple data centers. What about all those remote office branch offices?" That right now is a big issue that we see customers running into.

The
beauty of NetVault XA is I can now have various solutions implemented,
whether it's vRanger running remotely or NetVault in a branch office,
and I can be managing it. I can manage all aspects of it to make sure
that those backups are running properly, or make sure replication is
working properly. It could be halfway around the country or halfway
around the world, and this way we have consistency.

Speaking
of reporting, as you said earlier, what about a dashboard for
management? One of our early users of NetVault XA is a large
multinational company with 18 data centers and 250,000 servers. They
have had to dedicate people to write service-level reports for their
backups. Now, with NetVault XA, they can literally give their IT
management, meaning their CIO and their CTOs, login IDs to NetVault XA,
and they can see a dashboard that’s been color coded.

It
can say, "Well, everything is green, so everything is protected,"
whether it's the Linux servers, Oracle databases, Exchange email,
whatever the case. So by being able to reduce that level of complexity
into a single pane of glass -- I know it's a cliché, but it really is --
it's really very powerful for large organizations and small.

Even
if you have two or three locations and you're only 500 employees,
wouldn’t it be nice to have the ability to look at your backups, your
replicas, and your snapshots, whether they're in the data center or in
branch offices, and whether you're a sysadmin, DBA, or storage
administrator, to be using one common interface and one common set of
rules to basically all get on the same plane?

Gardner: Let's revisit the issue that George was talking about, eDiscovery,
making sure that nothing falls through the cracks, because with
Murphy’s Law rampant, that's going to be the thing that somebody is
going to do eDiscovery on. It seems to me you're gaining some
confidence, some sense of guarantees, that whatever service-level agreements (SLAs) and compliance regulatory issues are there, you can start to check these off and gain some automated assurance.

Help me better understand, John, why the NetVault XA has, for lack of a better word, some sort of a confidence benefit to it?

Maxwell:
Well, the thing is that not only have we built things into NetVault XA,
where it's going to do auto discovery of how you have vRanger and
NetVault set up and other products down the road, but it's going to give
you some visibility into your environment, like how many VMs are out
there? Are all those VMs getting protected?

I was just at VMworld Barcelona
a couple of weeks ago, and VMware has made it incredibly simple now to
provision VMs and the associated storage. You've got people powering up
and powering down VMs at will. How do you know that you're protecting
them?

Dispersed operations

Also
at an event this week in Europe, I ran into a user in an emerging
country in Eastern Europe, and they have over 1,000 servers, most of
which are not being protected. It's a very dispersed operation, and
people can implement servers here and there, and they don't know what
half the stuff is.

So it's having a means to take an
inventory and ensure that the servers are being maintained, that
everything is being protected, because next to your employees, your data
is the most important asset that you have.

Data is everywhere now. It’s in mobile devices. It certainly could be in cloud-based apps. That's one of the things that we didn’t talk about. At Quest we use seven software-as-a-service (SaaS)-based applications, meaning they're big parts, whether it's Salesforce.com or our helpdesk systems, or even Office 365.
This is mission-critical corporate data that doesn’t run in our own
data center. How am I protecting that? Am I even cognizant of it?

The
cloud has made things even more interesting, just as virtualization has
made it more interesting over the past couple of years. With NetVault
XA, we give you that one single pane of glass with which you can report,
analyze, and manage all of your data.

Gardner:
Do we have any instances where we have had users, beta customers
perhaps, putting this to use, and do we have any metrics of success?
What are they getting from it? It's great to have confidence, it's great
to have a single view, but are they reducing expenses? Do they have a
real measurement of how their complexity has been reduced? What are the
tangibles, John?

Maxwell: Well, one of the
tangibles is the example of the customer that has 18 data centers,
because they have a finite-sized group that manage the backups. That
team is not going to grow. So if they have to have two or three people
in that team just working on writing reports, going out and looking
manually at data, and creating their own custom reports, that's not a
good use of their time.

Now, those people can do things
that they should be doing, which is going out and making sure that data
is being protected, going out and testing disaster recovery (DR) plans, and so forth. Some people were tasked with jobs that aren’t very much fun, and that’s now all been automated.

Now
they can get down to brass tacks, which is ensuring that, for an
enterprise with a quarter million servers, everything is protected and
it's protected the way that people think they are going to be protected,
meaning the service levels they have in place can be met.

We
also have to remember that NetVault XA brings many benefits to our
Ranger customer base as well. We have accounts with maybe one home
office and maybe two or three remote labs or remote sales offices. We've
talked to a couple of vRanger customers who now implement vRanger
remotely. In these shops, there is no storage administrator. It's the
sysadmin, the VMware administrator, or the Windows administrator. So
they didn’t have the luxury like the big accounts to have people do
that.

Now, this person can focus on ensuring that
operating systems are maintained, working with end users. A lot of the
tasks they were previously forced to do took up a lot of their time.
Now, with NetVault XA, they can very quickly look at everything, give
that health check that everything is okay, and control multiple
locations of vRanger from one central console.

Mobile devices

Gardner:
Just to be clear, John, this console is something you can view as a web
interface, and I'm assuming therefore also through mobile devices. I'm
going to guess that at some point, there will perhaps be even a more
native application for some of the prominent mobile platforms.

Maxwell: It’s funny that you mentioned that. This is an HTML5-based application. So it's very new, very fresh, and very graphical. If you look at the UI, it was designed with tablets and laptops in mind. It's gotten to where you can do controls with your thumbs, assuming you're running this on a tablet.

In-house,
and with early support customers, you can log into this remotely via
laptops, or tablet computing. We even have some people using them on
mobile phones, even though we're not quite there yet. I'm talking about
the form factor of how the screens light up, but we will definitely be
going that way. So a sysadmin or storage administrator can have at their
fingertips the status of what’s going on in the data-protection
environment.

What's nice is because this is a thin
client, a web UI, you can define user IDs not only for the sysadmins and
DBAs and storage administrators, but like I said earlier, IT
management.

So if your boss, or your boss’ boss, wants
to dial in and see the health of things, how much data you’re
protecting, how much data is being replicated, what data is being
protected up in the cloud, which is on-prem, all of that sort of stuff,
they can now have a dashboard approach to seeing it all. That’s going to
make everyone more productive, and it's going to give them a better
sense that this data is being protected, and they can sleep at night.

Gardner:
George, we spoke earlier about these natural waves of maturation that
have occurred throughout the history of IT. As you look at the landscape
for data protection, backup, or storage, how impactful is this in that
general maturation process? Is Quest, with its NetVault XA, taking a
baby step here, or is this something that gets us a bit more into a
fuller, mature outcome, when it comes to the process of data lifecycle?

Crump:
Actually, it does two things. Number one, from the process perspective,
it allows there to actually be a process. It's nice to talk about
backup process and have a process for protection and a process to
recover, but if you don’t have a way to manage and see all of your data
protection assets, it's really just a lot of talk.

You can't run a process like we are talking about in today’s data center with virtualization and things like that off of an Excel spreadsheet.
It's just not going to work. It's nowhere near dynamic enough. So
number one, it enables the fact of having a conversation about process.

Number
two, it brings flexibility. Because the only other way you could have
had that conversation about process, as I said before, would be to throw
everything out, pick one application, and suffer the consequences,
which would be not ideal support for every single platform.

To sum it up, it's really an enabler to creating a real data-protection process or workflow.

Gardner:
Okay. We're going to have to wrap it up pretty soon, but we've
mentioned mobile access, and cloud. I wonder if there's anything else
coming down the trend pike, if you will, that will make this even more
important.

The economy

I
come back to our economy. We're still not growing as fast as many
people would like, and therefore companies are not just able to grow
their top line. They have to look to increase their bottom line through
efficiency and deduplication, finding redundancy, cutting down on
storage, cutting down energy cost, simplifying, or centralizing data
centers into larger, more efficient, and therefore fewer facilities,
etc.

Is there anything here, and I will open this up
to both John and George, that we can look to in the future that strikes
some of these issues around efficiency and productivity, or perhaps
there are other trends that will make having a process approach to a
data lifecycle and backup and recovery even more important?

Maxwell:
Dana, you hit on something that's really near and dear to my heart,
which is data deduplication. We have a very broad strategy. We offer our
own software-based dedupe. We support every major hardware-based dedupe
appliance out there, and we're now adding support for Dell’s DR Series,
DR4000 dedupe appliances. But we're still very much committed to tape, and we're building
initiatives based on storing data in the cloud and backing up,
replicating, failover, and so forth.

One of the things
that we built into NetVault XA that's separate from the policy
management and online monitoring is that we now have historical data.
This is going to give you the ability to do some capacity management and
capacity planning and see what the utilization is.

How
much storage are your backups taking? What's the most optimum number of
generations? Where are you keeping that data? Is some data being kept
too long? Is some data not being kept long enough?

By
offering a broad strategy that says we support a plethora of backup
targets, whether it's tape, special-purpose backup appliances,
software-based dedupe, or even the cloud, we're giving customers
flexibility, because they have unique needs and they have different
needs, based on service levels or budgets. We want to make them
flexible, because, going back to our original discussion, one size
doesn’t fit all.

Gardner: I think we can sum
that up as just being more intelligent, being more empowered, and having
the visibility into your data. Anything else, George, that we should
consider as we think about the future, when it comes to these issues on
backup and recovery and data integrity?

Crump:
Just to tie in with what John said, we need flexibility that doesn’t add
complexity. Almost everything we've done so far in the environment up
to now, has added flexibility, but also, for every ounce of flexibility,
it feels like we have added two ounces of complexity, and it's
something we just can't afford to deal with. So that's really the key
thing.

Looking forward, at least on the horizon, I
don't see a big shift, something like virtualization that we need to be
overly concerned with. What I do see is the virtual environment becoming
more and more challenging, as we stack more and more VMs on it. The
amount of I/O and the amount of data protection process that will
surround every host is going to continue to increase. So the time is now
to really get the bull by the horns and institute a process that will
scale with the business long-term.

Gardner:
Well, great. We've been enjoying a conversation, and you have been
listening to a sponsored BriefingsDirect podcast on new approaches that
help simplify the data-protection process and help keep cost in check,
while also improving recovery confidence. We've seen how solving data
protection complexity and availability can greatly help enterprises gain
a comprehensive and standardized control approach to their data and
that data’s lifecycle.

So I would like to thank our
guests, John Maxwell, Vice President of Product Management for Data
Protection at Quest. Thanks, John.

Maxwell: Thank you, Dana.

Gardner: And also George Crump, Lead Analyst at Storage Switzerland. Thank you, George.

Crump: Thanks for having me.

Gardner:
This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks
to you, our audience, for listening, and do come back next time.

Transcript
of a BriefingsDirect podcast on new solutions to solve the growing need for more
reliable and less cumbersome data backups, despite increasingly data-intensive
environments. Copyright Interarbor
Solutions, LLC, 2005-2012. All rights reserved.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike. We're now joined by our co-host for this sponsored podcast series, Chief Software Evangelist at HP, Paul Muller. Hello, Paul, welcome back.

Paul Muller: Dana, it's good to be back. How are you?

Gardner: I'm well. Are you still in San Francisco?

Muller: Still in San Francisco, and it’s another lovely day.

Gardner: Very good. We're also here with Raf Los. He is the Chief Security Evangelist at HP. Welcome back, Raf, how are you? [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Raf Los: I'm well. Thank you.

Gardner: And where are you joining us from today?

Los: I'm in Houston, Texas, today.

Gardner: We have a fascinating show today, because we're going to learn how regional healthcare services provider Lake Health in Ohio has matured from deploying security technologies to becoming more of a comprehensive risk-reduction practice provider internally for its own consumers.

We're
going to learn how Lake Health's Information Security Officer has been
expanding the breadth and depth of risk management there to a more
holistic level, and we're even going to discuss how they've gone about
deciding for which risk and compliance services to seek outside
providers and which to retain and keep inside, or on premises.

With that, please join me in welcoming our special guest, Keith Duemling. He is the Information Security Officer at Lake Health. Welcome, Keith.

Keith Duemling: Hi. How are you guys doing today?

Gardner: We're doing very well.

Keith, let me begin our discussion with a high level, almost a philosophical, question for you. Many people are practicing IT security
and they're employing products and technologies. They're putting in
best practices and methods, of course, but it seems to me that you have a
different take.

You've almost abstracted this up to information assurance -- even quality assurance --
for knowledge, information, and privacy. Tell me how that higher
abstraction works, and why you think it's more important or more
successful than just IT security?

Duemling: If
you look at the history of information security at Lake Health, we
started like most other organizations. We were very technology focused,
implementing one or two point solutions to address specific issues. As
our program evolved, we started to change how we looked at it and
considered it less of a pure privacy issue and more of a privacy and
quality issue.

Go back to the old tenets of security,
with confidentiality, integrity, and availability. We started thinking
that, of those three, we really focused on the confidentiality, but as
an industry, we haven't focused that much on the integrity, and the
integrity is closely tied to the quality.

Information assurance

So
we wanted to transform our program into an information-assurance
program, so that we could allow our clinicians and other caregivers to
have the highest level of assurance that the information they're making
decisions based on is accurate and is available, when it needs to be, so
that they feel comfortable in what they are doing.

So
it's not just protecting information from being disclosed, but it's
protecting information so that it's the right information, at the right
time, for the right patient, for the right plan of care. From a high
level, the program has evolved from simple origins to more of a holistic
type of analysis, where we look at the program and how it will impact
patient care and the quality of that patient care.

Gardner:
It sounds like what I used to hear -- and it shows how long I have been
around -- in the manufacturing sector. I covered that 20 years ago.
They talked about a move towards quality, and rather than just looking
at minute or specific parts of a process, they had to look at it in
total. It was a maturity move on behalf of the manufacturers, at that
time.

Raf Los, do you see this as sort of a catching up
for IT and for security practices that are maybe 20 years behind where
manufacturing was?

Los: More or less, Dana.
Where Keith’s group is going, and where many organizations are evolving
to, is a practice that focuses less on “doing security” and more on
enabling the enterprise and keeping quality high. After all, security is
simply a function, one of the three pillars of quality. We look at does
it perform, does it function, and is it secure?

So it's a natural expansion of this, sort of a Six Sigma-esque approach to the business, where IT is catching up, as you’ve aptly put it. So I tend to agree with it.

Gardner:
Of course, compliance is really important in the healthcare field.
Keith, tell us how your approach may also be benefiting you, not just in
the quality of the information, but helping you with your regulatory and compliance requirements too?

Duemling:
In the approach that we’ve taken, we haven’t tried to change the
dynamics that significantly. We've just tried to look at the other side
of the coin, when it comes to security. We find that a lot of the
controls that we put in place for security benefit from an assurance
standpoint, and the same controls for assurance also benefit from a
security standpoint.

As long as we align what we're doing to industry-accepted frameworks, whether it be NIST or ISO,
and then add the healthcare-specific elements on top of that, we find
that that gives us a good architecture to continue our program and be
mindful of the assurance aspect as well as the security side.

In
doing so, we're able to implement controls that span multiple
compliance elements, so that we are not duplicating our efforts, missing
something, or trying to reinvent the wheel. Obviously, we're not the
first healthcare provider, and we certainly won't be the last one, to go
through the challenges of compliance in the United States -- and how
it's ever changing.

Add-on benefits

Gardner:
Are there some other ancillary or add-on benefits from your approach? I
am thinking of being able to be proactive, rather than reactive, on
certain elements of your requirements. Or do you have an ability to
compress the amount of time in which you can react, so that you can be more
real time in how you adjust? What are the other benefits to your
approach?

Duemling: One of the other benefits of
the approach is that we look at the data itself or the business
function and try to understand the risks associated with it and the
importance of those functions and the availability of the data. When we
put the controls and the protective measures around that, we typically
find that if we're looking specifically at what the target is when we
implement the control, our controls will last better and they will
defend from multiple threats.

So we're not putting in a
point solution to protect against the buzzword of the day. We're trying
to put in technologies and practices that will improve the process and
make it more resilient from both what the threats are today and what
they are in the future.

Gardner: Paul Muller,
any thoughts about what you're hearing and how this might relate to the
larger marketplace that you're familiar with from some of the other
clients and enterprises that you're talking to?

Muller:
A couple of observations. The first is that we need to be really
careful when we think about compliance. It's something of a security
blanket, not so much for security executives. I think InfoSec
security executives understand the role of compliance, but it can give
business leaders a false sense of security to say, "Hey, we passed our
audit, so we're compliant."

There was a famous case of a very large
financial-services institution that had been through five separate
audits, all of which gave them a very clear bill of health. But it was
very clear from some of the honeypots
they put in place in terms of certain data that they were leaking data
through to a market-based adversary. In other words, somebody was
selling their data, and it wasn’t until the sixth audit that it
uncovered the source of the problem.

So we need to be
really careful. Compliance is actually the low bar. We're dealing with a
market-based adversary. That is, someone will make money from your
data. It's not the nation-state that we need to worry about so much as
the people who are looking to exploit the value of your information.

Of
course, once money and profit enter the equation, there are a lot of
people very interested in automating and mechanizing their attack
against your defense, and that attack surface is obviously constantly
increasing.

The challenge, particularly in examples such as the one that Keith is talking about, comes in the mid-sized organizations.
They've got all of the compliance requirements, the complexity, and the
fascinating, or interesting, data from the point of view from a
market-based adversary. They have all of that great data, but don't
necessarily have the scale and the people to be able to protect that.

Balancing needs

It's
a question of how you balance the needs of a large enterprise with the
resources of a mid-sized organization. I don't know, Keith, whether
you've had any experience of that problem.

Duemling:
I have all too many times experienced that problem that you’re defining
right there. We find that technology that helps us to automate our
situational awareness is something that's key for us. We can take the
very small staff that we have and make it so that we can respond to the
threats and have the visibility that we need to answer those tough
questions with confidence, when we stand in front of the board or senior
management. We're able to go home and sleep at night and not be working
24×7.

Los: Keith, let me throw a question at
you, if you don't mind. We mentioned automation, and everybody that I
have with this conversation with tends to -- I don't want to say
oversimplify -- but can have an over-reliance on automation technology.

In
an organization of your size, you’re right smack in the middle of that,
too big not to be a target, too small to have all the resources you've
ever wanted to defend yourself. How do you keep from being overrun by
automation -- too many dashboards, too many red lights blinking at you, so you can actually make sense of any of this?

Duemling: That's actually one of the reasons we selected ArcSight.
We had too many dashboards for our very small staff to manage, and we
didn’t want Monday to be the dashboard for Product A, Tuesday for
Product B, and things of that nature.

So we figured we
would aggregate them and create the master dashboard, which we could use
to have a very high-level, high-altitude view, drill down into the
specific events, and then start referring them to subject-matter
experts. We wanted to have just those really sensitive events bubble up
to the surface, so that we could respond to them and they wouldn’t get
lost in the maze of dashboards.

We wanted to have just those really sensitive events bubble up
to the surface, so that we could respond to them and they wouldn’t get
lost in the maze of dashboards.

Gardner: Keith,
before we go any further, for the benefit of our listeners, please tell
us a bit about Lake Health, the size of your organization, the types of
services you provide, and even the nature of your organization. Are you
non-profit, publicly-traded, that sort of thing?

Duemling:
Sure. Lake Health is a not-for-profit healthcare system. We’re about 45
minutes outside of Cleveland, Ohio. We have two freestanding hospitals
and approximately 16 satellite sites of different sizes that provide
healthcare to the citizens of the county that we’re in and three
adjacent counties.

We have three freestanding 24×7
emergency rooms (ERs), which treat all kinds of injuries, from the
simple broken fingers to severe car accidents, heart-attacks, things of
that nature.

We also have partnerships with a number
of very large healthcare systems in the region, and organizations of
that size. We send some of our more critically injured patients to those
providers, and they will send some of their patients to us for more
localized, smaller care closer to their place of residence.

We’ve grown from a single, small community hospital to the organization that we have now.

Career path

Gardner: And how about you? What's been your trajectory in terms of how long you've worked there and the career path that you followed?

Duemling: I've been with Lake Health for a little under eight years now. I started as a systems administrator, managing a set of Windows servers, and evolved to my current position over time.

Typically,
when I started, an individual was assigned a set of projects to work
on, and I was assigned a series of security projects. I had a security
background that I came to the organization with. Over time, those
projects congealed into the security program that we have now, and if I
am not mistaken, it's in its third iteration right now. We seem to be on
a three-year run for our security program, before it goes through a
major retrofit.

Gardner: How did you unify all
of these different elements under what you call a program for security?
What were some of the steps you needed to take? We heard a little bit
about the dashboard issue, but I'm trying to get a larger perspective on
how you unified culture around this notion of information assurance?

Duemling:
We started within the information and technology department where we
had to really do an evaluation of what technologies we had in place?
What are different individuals responsible for, and who do they report
to? Once we found that there was this sprinkling of technology and
responsibilities throughout the department, we had to put together a
plan to unify that all into one program that has one set of objectives,
is under one central leadership, and has its clear marching orders.

We have to improve our relationship with compliance and we
have to improve our relationship with physical security.

Then
once we accomplished that, we started to do the same thing across the
entire organization. We improved our relationship within IT, not just
with sub-departments within IT, but then we also started to look outside
and said, "We have to improve our relationship with compliance and we
have to improve our relationship with physical security."

So
we’re unifying our security program under the mantra of risk, and
that's bringing all the different departments that are related to risk
into the same camp, where we can exchange notes and drive towards a
bigger enterprise focused set of objectives.

Gardner: Raf, this sounds a bit like the resiliency concepts
that you've been talking about in the past few months. Is what we're
hearing from Keith enterprise resiliency or is there a difference that
we should appreciate?

Los: No, he's dead-on. At
the end of the day, what security is chartered with, along with most of
the rest of IT, as I said earlier, is empowering the organization to do
its work. Lake Health does not exist for the sole purpose of security,
and clearly they get that.

That's step one on this
journey of understanding what the purpose of an IT security organization
is. Along the broader concept of resiliency, one of the things that we
look at in terms of security and its contribution to the business is,
can the organization take a hit and continue, get back up to speed, and
continue working?

Not if, but when

Most
organization technologists by now know it’s not a question of if you’re
going to be hacked or attacked, but a question of when, and how you’re
going to respond to that by allowing the intelligent use of automation,
the aligning towards business goals, and understanding the organization,
and what's critical in the organization.

They rely on critical systems,
critical patient-care system. That goes straight to the enterprise
resiliency angle. If you get hacked and your network goes down, IT
security is going to be fighting that hack. At the same time, we need to
realize how we separate the bad guys from the patient and the
critical-care system, so that our doctors and nurses and support
professionals can go back to saving lives, and making people’s lives
better, while we contain the issue and eradicate it from our system.

So
that's perfectly along those lines, and as you pointed out, I've been
hearing a lot about that lately. It's more than just about security, and
that's a fantastic revelation to wake up to every morning.

Gardner:
Keith, before we go and learn more about how you examine all of the
things that you need to do in this program and then perhaps start
thinking about what's core, what's context, and how to best source
those, I’d like to hear a little bit about the payoffs.

You've
been doing this, as you pointed, out for several years. Are there some
lessons that you can point to in terms of payback? Clearly, if you are
operating well and you've got good data and privacy, that's a reward in
its own. But, are there some other returns on investment (ROI),
maybe it's a softer return like an innovation benefit or being able to
devote more staff to innovation. Maybe you can line-up a few of the
paybacks when this goes as it should?

As an organization, we were able to wage that war,
for lack of a better term, while the business continued to function

Duemling:
I'd probably put forward two paybacks. One is about some earlier
comments I heard. We, as an organization, did suffer a specific event in
our history, where we were fighting a threat, while it was expected
that our facilities would continue operating. Because of the significant
size of that threat, we had degraded services, but we were able to
continue -- patients were able to continue coming in, being treated,
things of that nature.

That happened earlier in our
program, but it didn’t happen to the point where we didn’t have a
program in place. So, as an organization, we were able to wage that war,
for lack of a better term, while the business continued to function.

Although
those were some challenging times for us, and luckily there was no
patient data directly or indirectly involved with that, it was a good
payoff that we were able to continue to fight the battle while the
operations of the organization continued. We didn't have to shut down
the facilities and inconvenience the patients or potentially jeopardize
patient safety and/or care.

A second payoff is, if we
fast forward to where we are now, lessons learned, technologies put in
place, and things of that nature. We have a greater ability to answer
those questions, when people put them to us, whether it's a middle
manager, senior manager, or the board. What are some of the threats
we're seeing? How are we defending ourselves? What is the volume of the
challenge? We're able to answer those questions with actual answers as
opposed to, "I don't know," or "I'll get back to you."

So
we can demonstrate more of an ROI through an improvement in situational
awareness and security intelligence that we didn't have three, four, or
five years earlier in the program’s life. And tools like ArcSight
and some of the other technologies that we have, that aggregate that
for us, get rid of the noise, and just let us hone in on the crown
jewels of the information are really helpful for us to answer those
questions.

System of record

Gardner: How about looking at this through the lens of a system of record
perspective, an architectural term perhaps, has that single view, that
single pane of glass, allowed you to gain the sense that you have a
system of record or systems of record. Has that been your goal, or has
that been perhaps even an unintended consequence?

Duemling:
It's actually kind of both. One, it retains information that sometimes
you wish you didn't retain, but that's the fact of what the device and
the technology are in the solution and it’s meeting its objective.

But
it is nice to have that historical system of record, to use your term,
where you can see the historical events as they unfold and explain to
someone, via one dashboard or one image, as a situation evolves.

Then,
you can use that for forensic analysis, documentation, presentation, or
legal to show the change in the threat landscape related to a specific
incident, or from a higher level, a specific technology that's providing
its statistical information into ArcSight, but you can then do trending
and analysis on.

It is also good to get towards a
single unified dashboard where you can see all of the security events
that are occurring in the environment or outside the environment that
you are pulling in, like edit from a disaster recovery (DR)
site. You have that single dashboard where if you think there's a
problem, you can go to that, start drilling down, and answer that
question in a relatively short period of time.

Let's not undervalue
the value of confidence -- not having to second guess not just the
integrity of your systems and your applications.

Muller:
I'll go back to Keith’s opening comments as well. Let's not undervalue
the value of confidence -- not having to second guess not just the
integrity of your systems and your applications, but to second guess the
value of information. It's one thing when we're talking about the
integrity of the bank balance of a customer. Let's be clear that that's
important, but it can also be corrected just as easily as it can be
modified.

When you're talking about confidence in
patient data, medical imaging, drug dispensations, and so forth, that’s
the sort of information you can't afford to lack confidence in, because
you need to make split-second decisions that will obviously have an
impact on somebody’s life.

Duemling: I would add
to that. Like you were saying, you can undo an incorrect or a
fraudulent bank transfer, but you cannot undo something such as the
integrity of your blood bank. If your blood bank has values that
randomly change or if you put the wrong type of blood into a patient,
you cannot undo those without there being a definitely negative patient
outcome.

Los: Keith, along those lines, do you
have separate critical systems that you have different levels of
classifications for that are defended and held to a different standard
of resilience, or do you have a network wide classification? I am just
curious how you figure out what gets the most attention or what gets the
highest concentration of security?

Duemling:
The old model of security in healthcare environments was to have a very
flat type of architecture, from both networking, support, and a security
standpoint. As healthcare continues to modernize for multiple reasons,
there's a need to build islands or castles. That’s the term we use
internally, "castles," to describe it. You put additional controls,
monitoring, and integrity checks in place around specific areas, where
the data is the most valuable and the integrity is the most critical,
because there are systems in a healthcare environment that are more
critical than others.

Obviously, as we talked about
earlier, the ones that are used for clinical decision making are
technically more critical than the ones that are used for financial
compensation as it results from treating patients. So although it's
important to get paid, it's more important that patient safety is
maintained at all times.

Limited tools

We
can't necessarily defend all of our vast resources with the limited set
of tools that we have. So we've tried to pick the ones that are the
most critical to us and that's where we've tried to put all the
hardening steps in place from the beginning, and we will continue to
expand from there.

Gardner: Keith, let's take
this now to that question about managing your resources. Obviously,
because you are in that Goldilocks position, as Raf pointed out -- not
too big, not too little -- you have to be choosy. You don't have
unlimited resources, but you have a very serious and significant
responsibility.

Have you been starting to look at what is core and what is context,
what should be either outsourced or provided through some managed
services of some sort and what you would really like to retain control
over? How does that thought process about that problem pan out?

Duemling:
Absolutely, we look at every security project with the mindset of how
we can do this the most effectively and with the least amount of
resources that are diverted from the clinical environment to the
information security program.

That being said, security as a service, cloud-based technology,
outsourcing, whatever term you would like use, is definitely something
that we consider on a regular basis, when it comes to different types of
controls or processes that we have to be responsible for. Or professional services in the events of things like forensics, where you don’t do it on a regular basis, so you may not consider yourself an expert.

Some initiatives have gone premise-based and some have gone
security-as-a-service based. We are kind of a mix.

We
tend to do an evaluation of the likelihood of the threat materializing
or dependence on the technology, what offerings are out there, both as a
service and premise-based, what it would take from an internal resource
standpoint to adequately support and use a technology. Then, we try and
articulate that into a high-level summary of the different options,
with cost, pros and cons related to each.

Then,
typically our senior management will discuss all of those, and we'll try
and come to the decision that we think makes best for our
organizations, not just for that point, but for the next three to five
years. So some initiatives have gone premise-based and some have gone
security-as-a-service based. We are kind of a mix.

Gardner:
Paul Muller, as a cloud follower, a close follower, you've seen hybrid
services delivery arise in many different forms. I guess we're talking
here about hybrid security delivery. How do they come together in your
mind?

Muller: Exactly the same way. It is about
what Keith described as understanding particularly where, for example,
there is a high degree of specialization or skill required that is in
short supply, particularly in your geography.

It's
particularly true of security professionals that the bigger targets --
the banking institutions, defense, to a certain extent telecoms -- are
able to offer a price premium to some of these people and it can make it
hard to find the best quality stuff, particularly in mid-sized
organizations. Therefore, it sometimes makes more sense to procure those
staff and the services alongside them from outside of the organization.

Core intellectual property

Having said that, there are times when there is core intellectual property (IP)
of your organization, core capabilities, particularly around industry
vertical processes, where that level of expertise is not widely
understood.

It's too generic to be of value.
Healthcare is a great example, where the compliance requirement, plus
the particular or specific patient management systems, would be too
specific for a general-purpose service provider to add much value. It's a
question of blending that right to the capabilities.

I want to add that it's interesting that the security world tends to have a somewhat schizophrenic view of software as a service (SaaS). They will typically be okay with the idea of putting all of your sales pipeline and your customer data into a customer relationship management (CRM) system in the cloud, but will often have a negative reaction if you say let's use security SaaS.

So
often you will find that it's actually more palatable for the
organization culturally, when looked at maybe as a managed service,
rather than treating it as a SaaS, knowing, in other words, that there's
people behind it as well as software. I don't know. Raf, what are your
thoughts?

Los: Well, Paul, eloquently put.
There's still that stigma of cloud somehow magically meaning less
secure, and I work with that trepidation almost daily, like you do.

The
one aspect we need to make sure that we emphasize and understand is
that there are people behind all of this.

The
one aspect we need to make sure that we emphasize and understand is
that there are people behind all of this. This isn’t just some
automated scan, script, or thing. There are people behind a lot of this,
and the broad sense of why security really matters is the human element
of it.

So these hybrid types of services make sense,
because there are a lot of things and -- going back to that comment
about the size of the organization -- you can't do it all yourselves. If
you can, you can't do it well, whether you're a massive company or a
small one.

Knowing that fact, acknowledging that, and
being able to consume security services intelligently can be the
difference between getting lost in "dashboard hell" and having the right
information at the right time to make the right decision, based on
partnerships with the correct organizations.

I think
you summed it up well, but I just felt like I would add a little bit of
color to that, because that's a little bit of what I have been seeing.

Gardner:
It's interesting that a common thread for successful organizations is
knowing yourself well. It's also an indicator of maturity, of course. I
know that Paul is talking about this, and Raf as well, that those
organizations that know themselves well can better plot their future
architecturally and across comprehensive services. But it also sounds as
if this is really important, when it comes to deciding what services to
retain total control over or retain the resources that deploy them and
another set of choices.

Back to you, Keith. It sounds
like you have a good level of maturity. You have had a good opportunity
to know yourself and then to track your progress. Is that helping you
make these decisions about what's core or context in the design of your
risk-mitigation activities?

What you do well

Duemling:
Yes, it is. You have to know what you do well and also you have to know
the areas where you, as an organization, are not going to be able to
invest the time or the resources to get to a specific comfort level that
you would feel would be adequate for what you are trying to achieve.
Those are some of the things where we look to use security as a service.

We don't want to necessarily become experts on spam
filtering, so we know that there are companies that specialize in that.
We will leverage their investment, their technology, and their IP to
help defend us from email-borne threats and things of that nature.

We're
not going to try and get into the business of having a program or to
create an event-correlation engine. That's why we're going to go out and
look for the best-of-breed technologies out there to do it for us.

We'll
pick those different technologies, whether it's as a service or
premise-based and we'll implement those. That will allow us to invest in
the people that know our environment the best and intimately and who
can make decisions based on what those tools and those managed services
tell them.

They can be the boots on the ground, for
lack of a better term, making the decisions that are effective at the
time, with all the situational awareness that they need to resolve the
problem right then and there.

Security is more than just technology. It really is
the people, the process, and the technology.

Gardner: Keith,
you've got a little bit of 20/20 hindsight, having done this. For those
of our listeners who are perhaps at that level, where they are juggling
quite a few security products or technologies and they would like to
move into this notion of a program and would like to have a unified
view, any thoughts about getting started, any lessons learned that you
could share?

Duemling: I would say just a couple
of bullet points. Security is more than just technology. It really is
the people, the process, and the technology. You have to understand the
business that you are trying to protect. You have to understand that
security is there to support the business, not to be the business.

Probably
most importantly, when you want to evolve your security and set up
projects into an actual security program, you have to be able to talk
the language of the business to the people who run the business, so that
they understand that it’s a partnership and you are there to support
them, not to be a drain on their valuable resources.

Gardner: Raf, any thoughts to amplify or extend that?

Los:
I think he has put it brilliantly just now. IT security is a resource
and also a potential drain on resources. So the less we can take away
from anything else the organization is doing, while enabling them to
basically be better, deliver better, deliver smarter, and save more
lives and make people healthier, that is ultimately the goal.

If
there's nothing else that anybody takes away from a conversation like
this, IT security is just another enabler in the business and we should
really continue to treat it that way and work towards that goal.

Lessons learned

Gardner:
All right, last word to you today, Paul Muller. What sort of lessons
learned or perhaps perceptions from the example of Lake Health would you
amplify or extend?

Muller: I will just go back
to some of my earlier comments, which is, let’s remember that our
adversary is increasingly focused on the market opportunity of
exploiting the data that we have inside our organizations -- data in all
of its forms. Where there is profit, as I said, there will be a drive
for automation and best practices. They are also competing to hire the
best security people in the world.

But as a result of
that, and mixed in with the fact that we have this ever-increasing
attack surface, the vulnerabilities are increasing dramatically. The
statistic I saw from just October is that the cost of cyber crime has
risen by 40 percent and the attack frequency has doubled in the last 12
months. This is very real proof that this market forces are at work.

The
challenge that we have is educating our executives that compliance is
important, but it is the low bar. It is table stakes, when we think
about information and security. And particularly in the case of
mid-sized enterprises, as Raf pointed out, they have all of the
attractiveness as a target of a large enterprise, but not necessarily
the resources to be able to effectively detect and defend against those
sorts of attacks.

You need to find the right mix of
services, whether we call it hybrid, whether we call it cloud or managed
services, combined with your own on-premises services to make sure that
you're able to defend yourself responsibly.

Cyber crime has
risen by 40 percent and the attack frequency has doubled in the last 12
months. This is very real proof that this market forces are at work.

Gardner:
Very good. I am afraid we'll have to leave it there. I want to thank
our co-hosts today. We have been joined by Paul Muller, the Chief
Software Evangelist at HP. Thank you, Paul.

Muller: Great having been here again, Dana. Good to talk to you.

Gardner: And also Raf Los. He is the Chief Security Evangelist at HP. Thank you so much, Raf.

Los: Thanks for having me, Dana. And Keith, it has been a pleasure having the conversation.

Gardner:
And I'd like to thank our supporter for this series, HP Software, and
remind our audience to carry on the dialogue with Paul Muller through
the Discover Performance Group on LinkedIn, and also to follow Raf on
his popular blog, Following the White Rabbit.

And
you can always access this and other episodes in our HP Discover
Performance Podcast Series at hp.com and on iTunes under
BriefingsDirect.

And of course I want to thank our
very special guest today, with a very impressive story, Keith Duemling;
he is the Information Security Officer there at Lake Health. Thank you
so much, Keith.

Duemling: Thank you for the opportunity to share the information.

Gardner:
And lastly, I would like to thank our audience for joining us for this
special HP Discover Performance Podcast discussion. I am Dana Gardner,
Principal Analyst at Interarbor Solutions, your host for this ongoing
series of HP sponsored business success stories.